In the ever-expanding world of misleading applications, you might wonder how each new application can stand out from the crowd and get itself noticed. Browsing the Web sites of some of these applications shows that most employ some form of social engineering to persuade potential customers to purchase their products. This social engineering ranges from the subtle language of persuasion to bold warnings concerning your personal and online safety.
The most common social engineering used on these Web sites tells us that just about every online activity is certain to bring spyware and other unwanted pests to your door. Downloading music from the web seems to be the biggest culprit in this area:
IM chatting, online banking, and email activity are also frequently cited as being certain sources of spyware:
Applications that claim to protect your online privacy often target frequenters of adult-orientated Web sites. One such application promises to hide your “personal preferences and addictions” to protect your reputation and avoid any potential blackmail scenarios:
Some of the less subtle Web sites we’ve seen use old-fashioned scaremongering to get their messages across:
It also helps to dismiss the competition, especially because users may already have other security applications installed. Claims that antivirus programs are incapable of dealing with spyware are common for misleading applications that claim to be "antispyware":
Some misleading application Web sites also use “on-line scanners” to perform a scan of your computer. Of course, these scanners are fake, but their shocking results might encourage the unsuspecting user to consider purchasing the full application:
Another tool we’ve seen used is pop-up windows that appear when you visit certain Web sites. Clicking "OK" on these pop-ups usually redirects the user to the purchase page of some rogue product. The following example displays some convincing information on the “W32.Myzor.FK@yf” virus. The pop-up doesn’t claim you are infected with this virus, but the impressive technical details are probably enough to get some users to bite:
Another neat trick we’ve seen is a “keyboard check-up” that appears in a pop-up window while browsing the site of a system-repair misleading application. This prompts you to type into a text box to check that your keyboard still works. A “fix” button is provided in case your system is faulty:
A closer examination reveals that the input box is an image and the cursor is an animation, so of course nothing appears in the box as you type. Clicking the fix button directs you to the vendor’s Web page, where you can use your newly repaired keyboard to enter your credit card details and purchase the rogue application in question.
To add a touch of authenticity, the Web sites selling misleading applications often show lists of threat names that are detected by their products or threats that have recently been detected by them in the wild. These names may appear legitimate at a quick glance, but they are usually malformed versions of real threat names or just totally fake. Some names you might see on these lists are:
• w32.myzor.fk@if
• w32.myzor.fk@yf
• w32.expdwnldr
• trojanspm/lx
• trojan.dloader/lx
• spyworm.win32
• win32.trojan.rx
• wollf.16
• ipmonitor.win32.xtrojan
• trojan.w32.looksky
• trojan adware.w32.expdwnldr
In a later blog we will look at some of the social engineering techniques used by these applications after they have been installed on your system.